Scope of data breaches raises cyber risk concerns

CERT-LatestNews ThreatsActivists

Cyber liability insurance rates remain competitive despite recent incidents, such as the massive breach of credit bureau Equifax Inc.

The size and complexity of the hacks, however, are both driving more interest in cyber liability coverage and raising concerns about exposure levels, experts say.

The Equifax breach, where hackers accessed personal information on up to 145.5 million of the firm’s customers, happened a few weeks before insurer and brokerage executives met for the Insurance Leadership Forum in Colorado Springs, Colorado, last week. While much of the discussion at the meeting centered on property catastrophe exposures in the wake of recent natural catastrophes, cyber liability was also a concern.

Equifax carried cyber liability coverage, which market sources say was led by London-based Beazley P.L.C., and the breach will likely result in a limit loss for insurers and reinsurers, they say.

The breach showed that “cyber is about as cat-exposed as property,” said Mark E. Watson, president and CEO of Argo Group International Holdings Ltd. in Pembroke, Bermuda. But insurers and reinsurers have more limited exposure to catastrophic cyber losses because cyber liability is still a relatively small market, he said.

“Not everybody provides cover, and of those that do, only a few offer big limits, so the losses are isolated to a few underwriters,” Mr. Watson said.

Recent breaches may put some pressure on pricing, but rates will move slowly, he said. And they are coming off a low base, Mr. Watson said. “If you look at pricing, it’s probably underpriced by a factor of between two and five,” he said.

High-profile breaches and the increasing complexity of the cyber attacks is driving more interest in buying cyber coverage, but capacity in the insurance market is also rising, said Alexis Faber, Memphis, Tennessee-based global head of financial lines at Willis Towers Watson P.L.C.

“There’s some increases in pricing, but it’s not significant and it varies a lot by industry,” she said.

The perception of cyber risk is increasing, but rates are not rising significantly, said Mike Foley, CEO of North America for Zurich Insurance Group Ltd., who is retiring from Zurich early next year.

“We are not seeing a massive shift in pricing on cyber, but people are more risk-aware. The challenge is being able to price and measure a risk that’s evolving,” he said.

Despite the challenges, the market is growing, said Daniel J. Kaufman, corporate senior vice president and managing director at Burns & Wilcox Ltd. in Farmington Hills, Michigan.

The wholesaler has been offering cyber liability for five years, and while few businesses bought it at first, “we see more and more uptake every month” as breaches are announced and boards of directors realize how costly breach responses can be, he said. In particular, small businesses are now more likely to buy the coverage as they realize that an uninsured breach could put them out of business, he said.

Outside of the specialty cyber liability products, insurers are tightening their underwriting of cyber exposures, said Mike Rice, CEO of JLT Specialty USA, a unit of Jardine Lloyd Thompson Group P.L.C. in Denver.

“Property carriers are looking to include absolute exclusions in their policies for cyber property risks and business interruption tied to cyber,” he said. Property underwriters usually don’t have cyber expertise, are not modeling the risk and, in the face of rising claims, are looking to exclude the risk, he said.

Insurers are increasingly looking to reinsure cyber exposures and are more frequently discussing wordings with reinsurers, said Mike Schnur, partner at TigerRisk Partners L.L.C. But, he said, “defining an event is not always easy. For example, if a foreign country hacks you, is that cyber or is that war?”